11-21-2013 02:10 PM - edited 03-11-2019 08:08 PM
I have an ASA 5505 running 8.2(5). I have a guest network configured on its own interface and using a public DNS server. I need to be able to access a web server that is on the inside interface using the web server's public IP.
The guest network uses 10.0.6.0/24 and the inside network uses 192.168.0.0/24. The public IP of the webserver is x.x.139.171 which is NATed to 192.168.0.171.
I have seen some things mention using hairpinning or DNS doctoring, but I am not sure that those methods apply to this situation since we are working with two interfaces.
Is this even possible to accomplish?
I can post the config file if necessary.
11-22-2013 12:41 AM
Hi,
To my understanding the first option might be adding the "dns" parameter to the existing Static NAT unless already present. The Static NAT configuration should look something like this
static (inside,outside) x.x.139.171 192.168.0.171 netmask 255.255.255.255 dns
The "dns" parameter should do so that the ASA will rewrite the DNS reply from the public DNS server when an internal host queries for the IP address of the server. The ASA should therefore forward the DNS reply with the internal IP address and the connections should work.
Alternatively, you could configure the same Static NAT from "inside" to "guest" (presuming your interface names since I have not seen the configurations)
static (inside,guest) x.x.139.171 192.168.0.171 netmask 255.255.255.255
This would mean that the hosts behind "guest" could connect to the server 192.168.0.171 using the public IP address x.x.139.171
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
11-23-2013 07:19 PM
Remember that when you are coming from a lower security interface to a higher, in this case the inside, you must configure ACL.
If you have NAT control configured you can configure an ACL that permits tcp/80 from the DMZ network to the translated address (X.X.139.171), then deny IP from the DMZ to any other port on this server's global address, then a deny from the DMZ to the local network (inside), and then a permit IP from the DMZ network to any. Obviously, apply the ACL name or number to an access group applied to the DMZ interface.
Value our effort and rate the assistance!
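Putting the two replies together, the following is an added example (not posted by anyone in this thread) of what the inside-to-guest static NAT and the guest-interface ACL could look like in ASA 8.2 syntax. The interface name "guest" and the ACL name GUEST_IN are assumptions, and x.x.139.171 stands in for the real public address; on 8.2 the ACL on the guest interface matches the translated (public) address because that is what guest hosts send to.

```cisco
! Static NAT so guest hosts reach the inside web server by its public IP
static (inside,guest) x.x.139.171 192.168.0.171 netmask 255.255.255.255

! Guest interface ACL, evaluated top down:
!  1. allow only HTTP to the server's public address
!  2. block everything else to that server
!  3. block the rest of the inside network (including 192.168.0.171 directly)
!  4. allow everything else (Internet, public DNS)
access-list GUEST_IN extended permit tcp 10.0.6.0 255.255.255.0 host x.x.139.171 eq www
access-list GUEST_IN extended deny ip 10.0.6.0 255.255.255.0 host x.x.139.171
access-list GUEST_IN extended deny ip 10.0.6.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list GUEST_IN extended permit ip 10.0.6.0 255.255.255.0 any
access-group GUEST_IN in interface guest

! Verification from the ASA CLI (10.0.6.10 is a constructed guest host address):
! packet-tracer input guest tcp 10.0.6.10 12345 x.x.139.171 80
! should show the static xlate to 192.168.0.171 and an ALLOW result, while
! packet-tracer input guest tcp 10.0.6.10 12345 x.x.139.171 22
! and a trace to 192.168.0.171 directly should both be dropped by the ACL.
```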
11-25-2013 07:59 AM
The DNS rewrite did not work, but the additional static NAT statement did. Thank you.
11-25-2013 08:05 AM
Hi,
Glad to hear it worked out
I am not sure why the "dns" parameter didn't work. It should work for users behind other interfaces too even though the "static" command might refer to different interfaces.
- Jouni